Something You May Have Missed on Christmas Eve

A few hours before Christmas Eve, the National Security Agency released more than a decade’s worth of damning reports on its website. The reports, which had been submitted by the NSA to the President’s Intelligence Oversight Board from 2001 to 2013, purport to cover any activity that could be considered unlawful or contrary to government policy. They included incidents in which individual employees abused their security clearances to target a current or former romantic partner as well as dozens of breaches that resulted from overly broad database queries, along with a lack of rigor in determining whether a foreign intelligence target had entered the United States or held US citizenship or permanent resident status. There were also numerous breaches related to poor data security.

In the documents, which were released in response to a FOIA lawsuit brought by the ACLU, NSA analysts are revealed to be all-too-human bumblers, mistakenly searching on their own information, improperly using colleagues’ credentials, sending highly classified information to the wrong printer, and mistyping email addresses.

There is no evidence in the reports of systematic lawbreaking—not a surprise considering the reports’ author. Instead, the NSA attributes most of its lapses to unintentional human error or technical mistakes.

The National Security Agency on Christmas Eve day released twelve years of internal oversight reports documenting abusive and improper practices by agency employees. The heavily redacted reports to the President’s Intelligence Oversight Board found that NSA employees repeatedly engaged in unauthorized surveillance of communications by American citizens, failed to follow legal guidelines regarding the retention of private information, and shared data with unauthorized recipients.

While the NSA has come under public pressure for openness since high-profile revelations by whistleblower Edward Snowden, the release of the heavily redacted internal reports at 1:30PM on Christmas Eve demonstrates limits to the agency’s attempts to demonstrate transparency. Releasing bad news right before a holiday weekend, often called a “Christmas Eve surprise,” is a common tactic for trying to minimize press coverage.

The reports, released in response to a Freedom of Information Act request submitted by the American Civil Liberties Union, offer few revelations, but contain accounts of internal behavior embarrassing to the agency.

It all also points out, even with the presumably large number of safeguards present, the range of mistakes that could be and were made. The fact that we only know this due to a "Christmas Eve surprise" should make everyone just a little bit nervous.

From Patrick C. Toomey of the ACLU - NOT the US Senate as quoted by Bloomberg:

The ACLU, which filed a lawsuit to access the reports, said the documents shed light on how the surveillance policies of NSA impact Americans and how information has sometimes been misused.

“The government conducts sweeping surveillance under this authority — surveillance that increasingly puts Americans’ data in the hands of the NSA,” Patrick C. Toomey, staff attorney with the ACLU’s National Security Project, said in an e-mail.

“Despite that fact, this spying is conducted almost entirely in secret and without legislative or judicial oversight,” he said.

The reports show greater oversight by all three branches of government is needed, Toomey added.

Which got me to thinking about this sentence from NSA's statement:

Executive Order 12333, as amended, requires Intelligence Community elements to report to the IOB, in a manner consistent with Executive Order 13462, as amended, intelligence activities they have reason to believe may be unlawful or contrary to Executive Order or Presidential Directive.

The executive order, signed by President Reagan in 1981 and modified many times since, is the authority relied upon by the intelligence agencies, including the NSA, to conduct surveillance of foreigners outside of the United States. According to recent reports, however, the government relies upon the executive order to sweep up the international communications of countless Americans. For example, it is used to collect billions of records every day containing the location information of mobile phones, including Americans' phones; to harvest the address books of email users; and to sweep up the information of users of Google and Yahoo as it travels between those companies' data centers abroad.

Bulk data collection that occurs inside the United States contains built-in protections for U.S. persons, defined as U.S. citizens, permanent residents and companies. Such collection must be authorized by statute and is subject to oversight from Congress and the Foreign Intelligence Surveillance Court. The statutes set a high bar for collecting the content of communications by U.S. persons. For example, Section 215 permits the bulk collection only of U.S. telephone metadata — lists of incoming and outgoing phone numbers — but not audio of the calls.

Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders. Issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, 12333 is not a statute and has never been subject to meaningful oversight from Congress or any court. Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Select Committee on Intelligence, has said that the committee has not been able to “sufficiently” oversee activities conducted under 12333.

Unlike Section 215, the executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information...
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;

There it is. Might not sound like much but if you send an email via Google or Yahoo and it ends up getting stored in a mirror site outside of the US border and there's a "lawful intelligence...investigation" that scoops up all that material, there's no way for you to know that our friends in the NSA don't have access to it.

So while the story about NSA employees searching their exes' phone records might be worth a chuckle or two, the bigger picture is this: there's no way to know whether some of your stuff's on file somewhere in the acres of supercomputers operated by NSA.